FY 2008 OFFICE OF INSPECTOR GENERAL
FISMA REVIEW OF GSA'S INFORMATION TECHNOLOGY SECURITY PROGRAM
REPORT NUMBER A080081/O/T/F08016
September 11, 2008

U.S. GENERAL SERVICES ADMINISTRATION
Office of Inspector General

Date:       September 11, 2008
Reply to    Gwendolyn A. McGowan
Attn of:    Deputy Assistant Inspector General for Information Technology Audits (JA-T)
To:         Casey Coleman
            Chief Information Officer (I)
Subject:    FY 2008 Office of Inspector General FISMA Review of GSA's Information Technology Security Program, Report Number A080081/O/T/F08016

The Federal Information Security Management Act of 2002 (FISMA) provides a framework for securing Federal information systems including: (1) assurance of the effectiveness of information security controls over information resources; (2) development and maintenance of minimum controls required to protect Federal information and information systems; and (3) a mechanism for improved oversight of agency information security programs. This audit report presents the results of the Inspector General's Fiscal Year (FY) 2008 independent evaluation of the General Services Administration's (GSA) agency-wide Information Technology (IT) Security Program, as required by FISMA, and reflects results from our system security audits. Our response to specific questions in the OMB FY 2008 reporting template for FISMA is attached as Appendix A. To clarify our assessment of privacy controls addressed by the FISMA reporting template, we are also providing a copy of our recent report on the GSA Privacy Program¹.
Both audit reports are provided for inclusion as an appendix in GSA's FY 2008 FISMA report to be submitted to the Office of Management and Budget (OMB) by October 1, 2008. Our assessment of the GSA IT Security Program also considered audit findings from two recent IT audits¹,² issued in FY 2008.

¹ Improvements to the GSA Privacy Act Program Are Needed to Ensure that Personally Identifiable Information (PII) Is Adequately Protected, Report Number A060225/O/T/F08007, March 31, 2008.
² Work Remains in Implementing a Fully Integrated Pegasys Financial Management System, Report Number A070094/B/T/F08009, June 23, 2008.
³ GSA Order CIO P 2100.1D - GSA Information Technology (IT) Security Policy, June 21, 2007.

241 18th Street S., CS4, Suite 607, Arlington, VA 22202-3402
Federal Recycling Program, Printed on Recycled Paper

Objectives, Scope, and Methodology

The objective of this audit was to assess the effectiveness of controls over GSA systems and data and to address specific questions and reporting requirements identified by OMB. We reviewed four GSA systems, including one contractor system, to assess implementation of GSA's IT Security Program. Appendix B provides additional information on the systems reviewed. We considered results from these system security audits, along with other recent audit work, with our responses to the OMB FISMA reporting template. FISMA audit work relied on GSA's IT Security Policy³, procedures, standards, and guides for implementing GSA's IT Security Program. We met with Agency IT security officials in the Office of the GSA Chief Information Officer (GSA-CIO) and in Services, Staff Offices, and Regions (S/SO/R), including the Office of the Chief Acquisition Officer, Office of the Chief Human Capital Officer (CHCO), Federal Acquisition Service, Office of General
Counsel, and Public Buildings Service. We also met with the GSA Senior Agency Information Security Officer (SAISO), and the Information System Security Managers (ISSMs) and Information System Security Officers (ISSOs) for select systems. To assess security controls, we applied the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publications⁴ and Special Publication (SP) 800 series security guidelines. In our review of GSA's IT Security Program, we evaluated the implementation of information security program elements from NIST SP 800-100, Information Security Handbook: A Guide for Managers, October 2006. To assess the effectiveness of GSA's IT Security Program implementation, we examined system risk assessments, security plans, security assessment results, certification and accreditation (C&A) letters, contingency plans, and system- and program-level Plans of Action and Milestones (POA&M). We also conducted vulnerability scanning and database configuration testing, and reviewed environmental and physical security, background investigations, and training. System security audits included a detailed assessment of web applications. To assess security over GSA's publicly facing web applications, we tested for encryption of logins, use of government domains, and use of validated cryptography. We tested for leakage of GSA information using peer-to-peer file sharing networks and a search engine.
In addition to FISMA, NIST, and GSA guidance, we applied other applicable regulations and policies, including Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004, and the following OMB memoranda: M-05-04, Policies for Federal Agency Public Websites, December 2004; M-06-16, Protection of Sensitive Agency Information, May 2006; M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 2007; and M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007.

We also considered information from an interim audit memorandum, dated September 3, 2008, which alerted GSA Management that sensitive but unclassified information is being maintained by application service providers (ASP) and there does not appear to be an inventory of the projects using these applications. The memorandum noted that neither the GSA Office of the Senior Agency Information Security Officer nor the Service Office of the CIO had any record of these applications or whether they meet all GSA security requirements. These ASPs were not procured through an IT vehicle and have no visibility through annual OMB Exhibit 53 submissions developed for GSA's IT investment portfolio.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

⁴ FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004, requires systems to be categorized as high, moderate, or low impact. FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.

RESULTS OF AUDIT

GSA's Information Technology (IT) Security Program incorporates designated security roles and responsibilities and NIST guidance into Agency policies and procedures. In addition, GSA has taken steps to identify and reduce risks through implementation of additional management, operational, and technical controls. However, inconsistent implementation of controls and insufficient management oversight of contractors continue to hinder GSA's IT Security Program from being fully effective in identifying and managing risks for all GSA systems and data. Deficiencies in the following four areas adversely impact the effectiveness of GSA's IT Security Program: 1) contractor oversight, 2) protection of sensitive information, 3) security of publicly facing websites, and 4) controls for minor applications. Management oversight of contractor-supported systems reviewed this year had not ensured that risks were adequately managed, since task-order requirements and deliverables were not comprehensive.
To protect sensitive information, steps are needed to implement encryption of mobile devices and two-factor authentication for remote access, and to establish a complete breach notification policy. GSA has not consistently secured its public web presence through: the protection of login credentials, support for required encryption, and consistent use of government domains. We also found minor applications where security controls were not adequate to address risk. Consistent implementation and sufficient management oversight of IT security requirements are essential for effectively securing GSA's diverse and decentralized IT environment. To enhance and strengthen GSA's IT Security Program and to more consistently secure vital systems and sensitive data, we recommend that the GSA Chief Information Officer (GSA-CIO) take additional steps to enhance management, operational, and technical controls for each of these areas. Appendix A provides responses to specific Office of Inspector General (OIG) questions identified in the annual OMB FISMA template, including supplemental information as needed. Additional information on select systems reviewed is included in Appendix B.

Contractor Oversight Was Inadequate

GSA's oversight of contractor-supported systems could be more comprehensive, as evidenced in two areas of risk: (1) inadequately secured contractor-supported systems had configuration management weaknesses; and (2) inconsistent contractor background investigations were performed for contractors supporting three of four systems reviewed. GSA's IT Security Policy requires all systems to be securely hardened and patched. Technical testing of operating system, database, and web application security found that all of the reviewed systems had configuration management weaknesses in at least one of these areas.
System security officials did not effectively monitor contractors performing system security services and did not ensure that system security controls were appropriately implemented. Assessments of task order requirements related to system support services revealed that the task orders for two systems included inadequate deliverables and did not enable system officials to identify instances where hardening and patching requirements were not met. Delays in hardening and patching resulted in configuration management weaknesses and exposed the affected systems to undue risks that could affect the confidentiality, integrity, or availability of GSA systems and data. To address risks with contractor oversight, the GSA-CIO should collaborate with the Office of the Chief Acquisition Officer to develop and implement performance-based deliverables for contract and task order requirements needed to direct system acquisition and IT support services.

Background investigations were not appropriately performed for contractors supporting three of four systems we reviewed. Background investigations were not completed in a timely manner for one system, and background investigations performed for two other systems were inconsistent with the GSA IT Security Policy. The system without timely background investigations had contract task orders without background investigation requirements. The failure to perform appropriate and timely background investigations means that contractors for the affected systems were granted privileged access without appropriate background investigations, placing GSA systems and data at risk of insider attack.
We found that there is confusion on the requirements for background investigations. For instance, the GSA IT security policy states that "Background investigation requirements for access to GSA information systems (including contractor operations containing GSA information) shall be IAW the OCHCO/OCIO HSPD-12 Personal Identity Verification and Credentialing Standard Operating Procedure (SOP) and GSA Handbook ADM 9732.1C, 'Suitability and Personnel Security'." However, GSA Handbook ADM 9732.1C is currently expired without a replacement, and there is a conflict between the HSPD-12 SOP and the FPS Implementation Plan for NonPBS-Contractors. The HSPD-12 SOP requires a Minimum Background Investigation (MBI)/Limited Background Investigation (LBI) for moderate risk positions, but contractor investigation requirements in the FPS Implementation Plan for NonPBS-Contractors also allow for an NACIC investigation for moderate risk positions. Further, we found that there are not specific background investigation task order requirements in the Federal Acquisition Regulation (FAR) and General Services Administration Acquisition Regulation. Inconsistent implementation of background investigation procedures has been a risk identified with our FISMA and Government Information Security Reform Act audits since 2002.
To address known weaknesses with GSA's background investigation process, the GSA-CIO should resolve inconsistencies with background investigation requirements in policies, procedures, and task orders, through careful collaboration with the Office of the Chief Acquisition Officer and the Office of the CHCO.

Additional Steps Are Needed to Protect Sensitive Information

The GSA Chief Human Capital Officer (CHCO) and GSA-CIO have not completed all actions necessary to ensure the adequate protection of sensitive information including the implementation of a comprehensive breach notification policy and OMB Memorandum M-06-16 requirements. Issued in June 2006, M-06-16 requires that all agencies encrypt data on mobile devices, implement a 30-minute timeout for remote access and mobile devices, use two-factor authentication for remote access, and log all computer-readable data extracts from databases holding Personally Identifiable Information (PII), ensuring that those extracts are erased within 90 days. Subsequently issued in May 2007, OMB Memorandum M-07-16 requires agencies to develop and implement a breach notification policy within 120 days of the memorandum's issuance and to develop that policy with the proper safeguards in place to protect the information, including M-06-16 requirements.
The breach notification policy, completed by the CHCO in response to OMB Memorandum M-07-16, has not comprehensively addressed the timeliness of breach notifications, the source in the Agency of those notifications, and the notification of other agencies or the posting of notifications on the web. This means that GSA officials may not respond to a data breach in a timely, effective, and comprehensive manner.

Incomplete implementation of M-06-16 requirements was reported in a March 2008 audit report on GSA's Privacy Act Program, which recommended implementing remaining controls required by M-06-16 for systems maintaining PII. The audit report also recommended that the CHCO work closely with the CIO to: 1) ensure that the Privacy Act Program is integrated with the Agency's security program and assesses risk with and identifies controls for all PII, including PII residing outside of major IT systems; 2) periodically assess the need for and potential uses of automated content management and data leakage tools or other procedures to assist in identifying and protecting PII within GSA's IT and system environment; 3) confirm that required security hardening guides are being followed and that vulnerabilities are promptly recorded and mitigated for major IT systems that collect and store PII; and 4) develop a plan that includes the key activities, milestones, and performance measures necessary to guide GSA in discontinuing the collection and storage of social security numbers in IT systems where no longer required. Subsequent to the Privacy Act Program report, the GSA CHCO issued a new rules and consequences policy⁵ instructional letter on July 29, 2008.
Our FISMA review did not consider implementation of this new policy.

Within GSA, primary management control responsibilities for protecting sensitive information, including PII, are dispersed among several key officials. The CHCO is the Senior Agency Official for Privacy, the GSA official responsible for establishing and overseeing the Agency's Privacy Act Program and for ensuring GSA's compliance with privacy laws, regulations and GSA policy. The GSA-CIO has overall responsibility for the Agency's IT Security Program. The GSA-CIO has included M-06-16 requirements in the GSA IT Security Policy and implemented a 30-minute timeout for remote access and mobile devices. However, GSA has not implemented encryption of mobile devices and two-factor authentication for remote access. GSA's laptops with encryption are primarily new devices or those that have been identified as containing PII. Without an emphasis on completing mobile device encryption, the remaining laptops containing unidentified PII or other types of sensitive data may be at risk in the event a laptop is lost or stolen. As of August 2008, two years after M-06-16 was issued, less than 1,800 of the 8,000 laptop computers identified by GSA have been encrypted. At the current rate, GSA will not accomplish the encryption solution roll-out planned to be completed by December 2008. Further, GSA's scheduled implementation of two-factor authentication is dependent on the full deployment of Personal Identity Verification (PIV) cards required by HSPD-12. However, only 35 percent of employees and 2 percent of contractors have received their PIV cards, as of June 2008. This places GSA in jeopardy of missing the planned completion date of September 2009 for implementing two-factor authentication.
To promptly fulfill implementation responsibilities for M-06-16 and M-07-16 and address these system security weaknesses, the GSA-CIO should expedite efforts to effectively protect all sensitive information, including PII.

Publicly Facing Web Sites Were Not Consistently Secured

GSA has not consistently secured its public web presence through: 1) the protection of login credentials, 2) support for required encryption, and 3) consistent use of government domains. First, we assessed 38 of GSA's publicly facing web applications and identified nine that did not employ encryption to protect login credentials. Encryption protects the privacy and confidentiality of data whether the data is being transmitted or stored on a computer; without it, these credentials may be compromised. Specifically, when proper protection mechanisms are not used, transmitted usernames and passwords are susceptible to eavesdropping attacks, disclosing the credentials to attackers. NIST SP 800-53 (control IA-5) states that password-based authentication should protect passwords from unauthorized disclosure and modification when stored and transmitted. In addition, there is an increased risk of compromise of other systems, if individuals use the same password on multiple systems. Second, our assessment identified an additional nine GSA publicly facing web applications that did not support the use of Transport Layer Security (TLS) encryption in conformance with FIPS 140-2 requirements. OMB M-07-11 requires that agencies adopt the Federal Desktop Core Configuration (FDCC) common security configurations for Windows XP or Vista devices, which include web browser settings that will only allow secure connections through TLS encryption.
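
The three properties this section tests on a public web application (login credentials submitted over an encrypted connection, TLS support with FIPS-approved cryptography, and a government domain) can be checked mechanically once a scan has recorded the login page URL, the login form's action, and the protocol versions and cipher suites the server accepts. The Python checker below is an added example written for this page, not the OIG's own audit tooling; the WebAppObservation records are constructed sample data with example.gov/.mil/.com hosts, not GSA sites, and the FIPS test is a stated approximation (a scan can show only that a FIPS-approved algorithm suite is negotiated, not that the server's cryptographic module holds a FIPS 140-2 validation).

```python
import re
from dataclasses import dataclass
from urllib.parse import urljoin, urlparse

# Domains OMB M-05-04 permits for federal public websites (the report's third check).
APPROVED_DOMAIN_SUFFIXES = (".gov", ".mil", ".fed.us")

# Assumption: a cipher suite is treated as "FIPS-approved" when it is built only
# from FIPS-approved algorithms (AES or 3DES, SHA-family MAC, RSA/DHE/ECDHE key
# exchange), in the spirit of NIST SP 800-52. Whether the server's crypto module
# is actually FIPS 140-2 validated cannot be learned from a scan; that comes from
# the module's validation certificate and has to be confirmed separately.
FIPS_APPROVED_SUITE = re.compile(
    r"^TLS_(RSA|DHE_RSA|DHE_DSS|ECDHE_RSA|ECDHE_ECDSA)_WITH_"
    r"(AES_(128|256)_(CBC|GCM)|3DES_EDE_CBC)_SHA(256|384)?$"
)


@dataclass(frozen=True)
class WebAppObservation:
    """What a scan of one public web application's login page recorded (constructed format)."""
    name: str
    login_page_url: str        # page that presents the login form
    login_form_action: str     # the form's action attribute; may be relative
    protocols: tuple           # protocol versions the server will negotiate
    cipher_suites: tuple       # cipher suites the server accepts


def credentials_encrypted(obs: WebAppObservation) -> bool:
    """Check 1: the form submits credentials over HTTPS.

    The action is resolved against the page URL, so a form served from an HTTPS
    page that posts to a plain HTTP URL is caught as well.
    """
    target = urlparse(urljoin(obs.login_page_url, obs.login_form_action))
    return target.scheme == "https"


def supports_fips_tls(obs: WebAppObservation) -> bool:
    """Check 2: the server negotiates TLS (not only SSL) with a FIPS-style suite.

    A browser locked to TLS by the FDCC settings cannot connect otherwise.
    """
    has_tls = any(p.upper().startswith("TLS") for p in obs.protocols)
    has_suite = any(FIPS_APPROVED_SUITE.match(s) for s in obs.cipher_suites)
    return has_tls and has_suite


def uses_government_domain(obs: WebAppObservation) -> bool:
    """Check 3: the host name is under .gov, .mil or .fed.us (OMB M-05-04).

    The suffix is matched with its leading dot, so a look-alike host such as
    'agency.gov.example.com' is not accepted.
    """
    host = (urlparse(obs.login_page_url).hostname or "").lower()
    return host.endswith(APPROVED_DOMAIN_SUFFIXES)


CHECKS = (
    ("login credentials not encrypted", credentials_encrypted),
    ("no FIPS-approved TLS support", supports_fips_tls),
    ("non-government domain", uses_government_domain),
)


def audit(observations):
    """Map each application name to the checks it fails (an empty list means all passed)."""
    return {o.name: [label for label, check in CHECKS if not check(o)]
            for o in observations}


def summarize(findings):
    """Count applications failing each check, in the report's form ('nine of 38')."""
    total = len(findings)
    return {label: (sum(1 for failed in findings.values() if label in failed), total)
            for label, _ in CHECKS}


# Constructed sample scan results; the hosts are not real GSA sites.
SAMPLE_OBSERVATIONS = (
    WebAppObservation("app-a", "https://apps.example.gov/login", "/session",
                      ("TLSv1.0", "TLSv1.1"), ("TLS_RSA_WITH_AES_128_CBC_SHA",)),
    WebAppObservation("app-b", "http://legacy.example.gov/login", "auth.cgi",
                      ("SSLv3",), ("SSL_RSA_WITH_RC4_128_MD5",)),
    WebAppObservation("app-c", "https://portal.example.com/login", "/login",
                      ("TLSv1.0",), ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",)),
    WebAppObservation("app-d", "https://secure.example.mil/", "http://secure.example.mil/auth",
                      ("SSLv3", "TLSv1.0"),
                      ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA")),
)

if __name__ == "__main__":
    results = audit(SAMPLE_OBSERVATIONS)
    for name, failed in results.items():
        print(f"{name}: {', '.join(failed) or 'all checks passed'}")
    for label, (count, total) in summarize(results).items():
        print(f"{count} of {total} applications: {label}")
```

The app-d record is the case worth noticing: the login page itself is served over HTTPS, but the form posts to an HTTP URL, so a check that looks only at the page address would pass it while the credentials still travel in the clear. Resolving the form action against the page URL before inspecting the scheme is what makes the first check meaningful.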
NIST SP 800-53 (control IA-7) requires that information systems employ authentication methods that meet the requirements of FIPS 140-2 (as amended), the federal standard for authentication to a cryptographic module. GSA customers and other system users who have adopted FDCC requirements will not be able to connect to GSA's nine non-compliant sites. Lastly, our assessment identified six GSA publicly facing web applications hosted on .com domains, which are not approved for federal websites. The consistent use of government domains is required to provide added confidence and quality to the information provided by Federal agencies. Additionally, the use of non-government domains could increase risks of phishing attacks where deception is used to play on the public's trust of the legitimate entity. OMB M-05-04 states that unless specified by the agency head, all federal agencies are only to use .gov, .mil, or Fed.us domains. These vulnerabilities could be prevented through improved application development processes and enhanced monitoring of GSA's public web presence. To mitigate the risks associated with the Agency's external web presence, the GSA-CIO should enhance monitoring of GSA's public web presence, and ensure that all of GSA's publicly facing web applications: 1) encrypt login credentials, 2) support FIPS 140-2 encryption, and 3) use approved Government domains for GSA web applications.

⁵ HCO IL-08-1, GSA Rules of Behavior for Handling Personally Identifiable Information (PII), July 29, 2008.

Risks With Minor Applications Were Not Always Addressed

System officials did not adequately address security requirements for minor applications⁶.
For one of the four systems included in this year's FISMA review, the certification and accreditation process did not identify significant risks associated with four reviewed minor applications in the following areas:
   1) Databases, web applications, and operating systems were not hardened;
   2) The certification and accreditation process did not identify all interconnections and did not identify risk with single sign-on; and
   3) The system owner did not perform e-authentication risk assessments.
A contributing cause for control weaknesses in minor applications with this system was that the task order procuring system services contained security requirements, but did not contain sufficient performance-based deliverables that would have alerted system security officials to gaps in adherence to GSA's IT Security Policy, procedures, and hardening guidelines. Specifically, procurement deliverables did not demonstrate that web applications were appropriately secured for the system. Compliance with the GSA IT Security Policy and its requirements is mandatory for all systems, including minor applications. This means that hardening of minor applications should follow NIST and/or GSA guidance to the greatest extent possible.
Minor applications should also be covered by e-authentication risk assessments in accordance with OMB M-04-04 when allowing authentication of users for the purpose of conducting government business electronically. Weaknesses in securing minor applications occurred when system owners focused on the major components within their system boundaries and the GSA IT Security policy and its related procedures, including procedural guides for conducting system certifications and accreditations, do not explicitly address minor applications.

In June 2008, an audit of GSA's financial management system identified systematic access control weaknesses with 45 minor web applications that put sensitive data at increased risk for disclosure. The June 2008 financial management system audit report recommended that the Chief Financial Officer work with GSA Services, Staff Offices, and Regions to improve security and privacy controls for sensitive system data, including: 1) strengthening system certification and accreditation processes to ensure that risks with and controls for system interfaces, data criticality and sensitivity, and information sharing are addressed; 2) defining and identifying sensitive Agency, customer, and vendor data maintained in the system and related web applications and feeder systems; 3) considering the use of encryption and/or masking of sensitive data that resides, or is transmitted to, web applications; 4) establishing appropriate access controls for web applications that interface with and/or process system data; and 5) evaluating whether unauthorized access to sensitive system data, including PII residing on financial web applications, was obtained as a result of weaknesses in security and privacy controls. To ensure system officials address risks with minor applications, the GSA-CIO should carefully consider the adequacy of the Agency's IT Security Policy and related procedures and more thoroughly address requirements for securing minor applications.

⁶ According to NIST SP 800-37, a minor application is an application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

Conclusion

To address deficiencies adversely impacting the effectiveness of GSA's IT Security Program, additional actions are needed in four areas. More consistent implementation of controls and management oversight of contractors will assist GSA's IT Security Program in more effectively identifying and managing risks for all systems and data. The implementation of a comprehensive breach notification policy and expedited actions to implement OMB requirements will improve protection of sensitive information. Enhanced monitoring of GSA's external web presence will reduce associated risks.
Updating policies and procedures to specifically address minor applications will result in improved security.

Recommendations

To strengthen GSA's IT Security Program and improve the security of information technology assets, we recommend that the GSA Chief Information Officer take actions to:
   1. Work with the Office of the Chief Acquisition Officer to develop standard requirements and deliverables for IT service contracts and task orders that promote compliance with GSA IT Security Policy and procedures.
   2. Work with the Office of the Chief Acquisition Officer and the Office of the Chief Human Capital Officer to ensure consistent background investigation requirements in policies, procedures, and task orders.
   3. Expedite actions to implement encryption of mobile devices and two-factor authentication, and work with the Office of the Chief Human Capital Officer to promptly fulfill responsibilities for implementing a comprehensive breach notification policy.
   4. Enhance monitoring of GSA's public web presence and ensure that all of GSA's publicly facing web applications:
      a. Encrypt login credentials.
      b. Support Federal Information Processing Standards (FIPS) Publication 140-2 encryption.
      c. Use approved Government domains for GSA web applications.
   5. Ensure that the IT Security Policy thoroughly addresses requirements for securing minor applications.

Management Comments

The GSA-CIO concurred with the findings and recommendations outlined in this report.
A copy of the GSA-CIO's comments is included in its entirety in Appendix C.

Internal Controls

As discussed in the Objectives, Scope, and Methodology section of this report, the objective of our review was to assess the effectiveness of controls over GSA systems and data and to address specific questions and reporting requirements identified by OMB. While this audit included a review of management, operational, and technical controls for four GSA systems, we did not test all system controls across the Agency. The Results of Audit and Recommendations sections of this report state, in detail, the need to strengthen specific management, operational, and technical controls with the GSA IT Security Program.

We would like to express our thanks to the GSA-CIO and her staff for their assistance and cooperation during the audit. An electronic copy of this report comprised of three files is being provided for inclusion in the GSA FISMA report to OMB and Congress. Please contact me if you have any questions regarding this report.

Larry Bateman
Director, Information Technology Security Audit Services
Information Technology Audit Office (JA-T)

APPENDIX A

GSA, OFFICE OF INSPECTOR GENERAL RESPONSES TO THE OFFICE OF MANAGEMENT AND BUDGET'S FISMA QUESTIONS

The EXCEL Workbook displayed here is transmitted in a separate file using the format directed by the Office of Management and Budget.
Supplemental information submitted with responses to this EXCEL Workbook is also displayed here.

Section C - Inspector General: Questions 1 and 2
Agency Name: General Services Administration
Submission date: September 11, 2008

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2.
For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems\nwhich have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.\n\n                                                                                                        Question 1                                              Question 2\n                                                                                     a.                     b.                  c.                a.                  b.                c.\n                                                                               Agency Systems       Contractor Systems   Total Number of      Number of          Number of         Number of\n                                                                                                                            Systems        systems certified systems for which systems for which\n                                                                                                                          (Agency and       and accredited    security controls contingency plans\n                                                                                                                           Contractor                         have been tested have been tested\n                                                                                                                            systems)                          and reviewed in in accordance with\n                                                                                                                                                                the past year         policy\n\n\n\n                                                                                                                                    
Total\n                                                           FIPS 199 System               Number          Number   Total                      Total   Percent Total   Percent Total   Percent\nBureau Name                                                                   Number             Number                            Number\n                                                           Impact Level                 Reviewed        Reviewed Number                     Number of Total Number of Total Number of Total\n                                                                                                                                  Reviewed\nPublic Buildings Service (PBS)                             High                                                               0           0\n                                                           Moderate                11           1                            11           1        1   100%        1   100%        1   100%\n                                                           Low                                                                0           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total               11           1         0          0       11           1        1   100%        1   100%        1   100%\nFederal Acquisition Service (FAS)                          High                                           1                   1           0\n                                                           Moderate                 2                    21          1       23           1        1   100%        1   100%        1   100%\n                                                           Low                      1                     3                   4           0\n                                                           Not 
Categorized                                                    0           0\n                                                           Sub-total                3           0        25          1       28           1        1   100%        1   100%        1   100%\nOffice of the Chief Acquisition Officer (OCAO)             High                                                               0           0\n                                                           Moderate                                        4                  4           0\n                                                           Low                      2                      1                  3           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                2           0          5         0        7           0        0               0               0\nOffice of Governmentwide Policy (OGP)                      High                                                               0           0\n                                                           Moderate                 1                     5                   6           0\n                                                           Low                      4                     2                   6           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                5           0          7         0       12           0        0               0               0\nOffice of the Chief Information Officer (OCIO)             High                                                               0           0\n                                                           Moderate                15           1   
                         15           1        1   100%        1   100%        1   100%\n                                                           Low                                                                0           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total               15           1          0         0       15           1        1   100%        1   100%        1   100%\nOffice of the Chief Financial Officer (OCFO)               High                                                               0           0\n                                                           Moderate                 1                      3                  4           0\n                                                           Low                                                                0           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                1           0          3         0        4           0        0               0               0\nOffice of the Chief Human Capital Officer (OCHCO)          High                                                               0           0\n                                                           Moderate                                        2                  2           0\n                                                           Low                                                                0           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                0           0          2         0        2   
        0        0               0               0\nOffice of Inspector General (OIG)                          High                                                               0           0\n                                                           Moderate                 1                                         1           0\n                                                           Low                                                                0           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                1           0          0         0        1           0        0               0               0\nOffice of General Counsel (OGC)                            High                                                               0           0\n                                                           Moderate                                                           0           0\n                                                           Low                      1           1                             1           1        1   100%        1   100%        1   100%\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                1           1          0         0        1           1        1   100%        1   100%        1   100%\nBoard of Contract Appeals (BCA)                            High                                                               0           0\n                                                           Moderate                                                           0           0\n                                                           Low                      1                                  
       1           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                1           0          0         0        1           0        0               0               0\nOffice of Citizen Services and Communications (OCSC)       High                                                               0           0\n                                                           Moderate                                                           0           0\n                                                           Low                                             2                  2           0\n                                                           Not Categorized                                                    0           0\n                                                           Sub-total                0           0          2         0        2           0        0               0               0\n\n\n\n                                                                                                A-1\n\x0c                                                                Section C - Inspector General: Questions 1 and 2\nAgency Name:                                            General Services Administration                                                      Submission date:              September 11, 2008\n                                                                            Question 1: FISMA Systems Inventory\n\n\n1. 
As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high,\nmoderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other\norganization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by\ncontractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a\nshared responsibility for FISMA compliance.\n\n\n                                          Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing\n\n2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems\nwhich have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.\n\n                                                                                                      Question 1                                                    Question 2\n                                                                                   a.            
         b.                  c.                    a.                  b.                c.\n                                                                             Agency Systems       Contractor Systems   Total Number of          Number of          Number of         Number of\n                                                                                                                          Systems            systems certified systems for which systems for which\n                                                                                                                        (Agency and           and accredited    security controls contingency plans\n                                                                                                                         Contractor                             have been tested have been tested\n                                                                                                                          systems)                              and reviewed in in accordance with\n                                                                                                                                                                  the past year         policy\n\n\n\n                                                                                                                                  Total\n                                                        FIPS 199 System                 Number          Number   Total                    Total        Percent     Total   Percent     Total   Percent\nBureau Name                                                                 Number              Number                           Number\n                                                        Impact Level                   Reviewed        Reviewed Number                   Number        of Total   Number   of Total   Number   of Total\n                                                          
                                                                      Reviewed\nOffice of Emergency Response and Recovery (OERR)        High                                                                0            0\n                                                        Moderate                                         1                  1            0\n                                                        Low                                                                 0            0\n                                                        Not Categorized                                                     0            0\n                                                        Sub-total                  0          0         1          0        1            0         0                   0                   0\nAgency Totals                                           High                       0          0         1          0        1            0         0                   0                   0\n                                                        Moderate                  31          2        36          1       67            3         3      100%         3      100%         3      100%\n                                                        Low                        9          1         8          0       17            1         1      100%         1      100%         1      100%\n                                                        Not Categorized            0          0         0          0        0            0         0                   0                   0\n                                                        Total                     40          3        45          1       85            4         4      100%         4      100%         4      100%\n                                                                           = Data Entry Cells\n                                                                           = Editable 

Section C - Inspector General: Question 3
Agency Name: General Services Administration

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

     Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

     Response Categories:
      - Rarely - for example, approximately 0-50% of the time
      - Sometimes - for example, approximately 51-70% of the time
      - Frequently - for example, approximately 71-80% of the time
      - Mostly - for example, approximately 81-95% of the time
      - Almost Always - for example, approximately 96-100% of the time

     IG response: Frequently (71-80% of the time)

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

     Response Categories:
      - The inventory is approximately 0-50% complete
      - The inventory is approximately 51-70% complete
      - The inventory is approximately 71-80% complete
      - The inventory is approximately 81-95% complete
      - The inventory is approximately 96-100% complete

     IG response: Inventory is 96-100% complete

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.
     IG response: Yes

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.
     IG response: Yes

3.e. The agency inventory is maintained and updated at least annually. Yes or No.
     IG response: Yes

3.f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please identify the known missing systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.

     | Component/Bureau | System Name | Exhibit 53 Unique Project Identifier (UPI) {must be 23 digits} | Agency or Contractor system? |
     |------------------|-------------|------------------------------------------------------------------|------------------------------|
     | See supplemental information. |  |  |  |

     Number of known systems missing from inventory: (not applicable)


Section C - Inspector General: Questions 4 and 5
Agency Name: General Services Administration

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response Categories:
 - Rarely - for example, approximately 0-50% of the time
 - Sometimes - for example, approximately 51-70% of the time
 - Frequently - for example, approximately 71-80% of the time
 - Mostly - for example, approximately 81-95% of the time
 - Almost Always - for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
     IG response: Almost Always (96-100% of the time)

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
     IG response: Almost Always (96-100% of the time)

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
     IG response: Almost Always (96-100% of the time)

4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
     IG response: Almost Always (96-100% of the time)

4.e. IG findings are incorporated into the POA&M process.
     IG response: Almost Always (96-100% of the time)

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
     IG response: Almost Always (96-100% of the time)

POA&M process comments:
     The General Services Administration, Chief Information Officer, has developed an agencywide POA&M process. All four systems reviewed have a POA&M, and system and Agency POA&Ms included 125 of 128 weaknesses (97.6%). While almost all identified IT security weaknesses are managed in the POA&M process, a weakness identified by an OIG audit report related to the protection of PII was not included in the Agency POA&M.
     See attached supplemental information.

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems" (February 2004) to determine a system impact level, as well as the associated NIST documents used as guidance for completing risk assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:

     Response Categories:
      - Excellent
      - Good
      - Satisfactory
      - Poor
      - Failing

     IG response: Satisfactory

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):
      - Security plan: X
      - System impact level: X
      - System test and evaluation: X
      - Security control testing: X
      - Incident handling: X
      - Security awareness training: X
      - Configurations/patching: X
      - Other: (none)

C&A process comments:
     GSA's certification and accreditation (C&A) process includes FIPS 199 system impact level determinations, security assessments, security control testing, incident handling, security awareness and training, and establishes standards for secure configurations. However, inconsistent implementation and insufficient management oversight of contractors continue to prevent GSA's IT security program from being fully effective in identifying and managing risks for all systems and data. One of four systems reviewed this year did not adequately address minor applications in the C&A process. See attached supplemental information.


Section C - Inspector General: Questions 6, 7, and 8
Agency Name: General Services Administration

Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D Question #5 (SAOP reporting template), including adherence to existing policy, guidance, and standards.

   Response Categories:
    - Excellent
    - Good
    - Satisfactory
    - Poor
    - Failing

   IG response: Satisfactory

   Comments:
   GSA has a written policy or process for PIAs that addresses determining whether a PIA is needed, conducting a PIA, completing the PIA Report, ensuring that system owners and privacy and information technology experts participate in conducting the PIA, making PIAs available to the public in the required circumstances, and making PIAs available in other than required circumstances. For each of the systems reviewed, a PIA has been completed that adheres to existing policy, guidance, and standards, if applicable. However, the Privacy Act Program has not yet ensured that PII stored on laptops and servers or in databases or applications that are not considered part of a major IT system is identified and protected. See attached supplemental information.

7. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

   Response Categories:
    - Excellent
    - Good
    - Satisfactory
    - Poor
    - Failing

   IG response: Satisfactory

   Comments:
   While a breach notification policy has been developed and implemented, the breach notification policy does not address the timeliness of the notification of individuals affected by breaches and does not address who will notify affected individuals. Further, three of four M-06-16 requirements reiterated in M-07-16 are not yet met. GSA conducted a survey of the use of PII/SSNs, which identified systems where the use of PII/SSNs was superfluous, and those systems were informed that the use of PII/SSNs should be halted. See attached supplemental information.

Question 8: Configuration Management

8.a. Is there an agency-wide security configuration policy? Yes or No.
     IG response: Yes

     Comments:
     GSA's IT Security Policy requires all agency systems to use GSA technical guidelines, NIST guidelines, or industry best practices for purposes of security configuration and hardening. See attached supplemental information.

8.b. Approximate the extent to which applicable systems implement common security configurations, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov.

     Response categories:
      - Rarely - for example, approximately 0-50% of the time
      - Sometimes - for example, approximately 51-70% of the time
      - Frequently - for example, approximately 71-80% of the time
      - Mostly - for example, approximately 81-95% of the time
      - Almost Always - for example, approximately 96-100% of the time

     IG response: Mostly (81-95% of the time)

8.c. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:

     c.1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.
          IG response: Yes

     c.2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39 - Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No.
          IG response: Yes

     c.3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.
          IG response: No


Section C - Inspector General: Questions 9, 10 and 11
Agency Name: General Services Administration

Question 9: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include comments in the area provided below.

9.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
     IG response: Yes

9.b. The agency follows documented policies and procedures for external reporting to US-CERT (http://www.us-cert.gov). Yes or No.
     IG response: Yes

9.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.
     IG response: Yes

Comments:
     The GSA-CIO has developed a procedural guide that outlines the policies and procedures for incident handling and reporting across the Agency. Incident handling and reporting were generally consistent with this guide for the four systems we reviewed.
See attached supplemental\n                    information.\n                                                            Question 10: Security Awareness Training\nHas the agency ensured security awareness training of all employees, including contractors and those employees with\nsignificant IT security responsibilities?\n\nResponse Categories:\n                                                                                                                                       Almost Always (96-100% of\n - Rarely- or approximately 0-50% of employees\n                                                                                                                                       employees)\n - Sometimes- or approximately 51-70% of employees\n - Frequently- or approximately 71-80% of employees\n - Mostly- or approximately 81-95% of employees\n - Almost Always- or approximately 96-100% of employees\n                                        Question 11: Collaborative Web Technologies and Peer-to-Peer File Sharing\n\nDoes the agency explain policies regarding the use of collaborative web technologies and peer-to-peer file sharing in IT security\n                                                                                                                                  Yes\nawareness training, ethics training, or any other agency-wide training? Yes or No.\n\n                                                        Question 12: E-Authentication Risk Assessments\n12.a. Has the agency identified all e-authentication applications and validated that the applications have operationally achieved\nthe required assurance level in accordance with the NIST Special Publication 800-63, \xe2\x80\x9cElectronic Authentication Guidelines\xe2\x80\x9d?           No\nYes or No.\n12.b. 
If the response is \xe2\x80\x9cNo\xe2\x80\x9d, then please identify the systems in which the agency has not\nimplemented the e-authentication guidance and indicate if the agency has a planned date of            One reviewed system, PBS Corporate, has not validated the\nremediation.                                                                                          operational assurance level of an e-authentication application,\n                                                                                                      and has a planned remediation date of January 30, 2009.\n                                                                                                      See attached supplemental information.\n\n\n\n\n                                                                                 A-6\n\x0cSupplemental Information \xe2\x80\x93 FY 2008 GSA OIG FISMA Reporting Template\n\nThis supplemental information provides a brief explanation of the basis for our responses to each \n \n\nquestion in the FY 2008 GSA OIG FISMA reporting template. \n \n\n\nQuestion 1\n \n\nThe GSA inventory of systems is maintained by the GSA-CIO. \n \n\n\nQuestion 2\n \n\nResponses to question 2 are based on our representative subset of four GSA systems. \n \n\n\nQuestion 3 \n\nQuestion 3.a \xe2\x80\x93We identified deficiencies with evaluated NIST SP 800-53 security controls for \n\none contractor system in our representative subset of GSA systems. Overall, insufficient \n\nmanagement oversight of contractors continue to prevent GSA\'s IT Security Program from being \n\nfully effective in identifying and managing risks for all systems and data, as evidenced by \n\nconfiguration management weaknesses and inconsistent contractor background investigations. \n\n\nQuestion 3.b \xe2\x80\x93 We did not identify any Exhibit 53 systems that are not included on the inventory. 
However, not all system interconnections were appropriately identified for the systems reviewed this year. One of the four systems we reviewed did not identify interfaces with other GSA systems. Additionally, an FY 2008 audit of a GSA financial management system determined that the certification and accreditation process for the system did not ensure that risks with sensitive data and system interfaces were assessed and necessary controls implemented.

Question 3.c – We did not identify any Exhibit 53 systems that are not included on the inventory.

Question 3.d – We did not identify any Exhibit 53 systems that are not included on the inventory. However, instances of application service providers maintaining GSA data outside of the Exhibit 53 process have been identified. Since these application service providers were not procured through an IT vehicle, they have no visibility in GSA's annual OMB Exhibit 53, which identifies GSA's IT investment portfolio. Neither the GSA Office of the Senior Agency Information Security Officer nor the Service Office of the CIO had any record of these applications.

Question 3.e – The agency inventory has been updated at least annually.

Question 3.f – We did not identify any Exhibit 53 systems that are not included on the inventory. See comments in Question 3.d above.

Question 4

Question 4.a – System and Agency POA&Ms included 125 of 128 weaknesses (97.6%). While almost all identified IT security weaknesses are managed in the POA&M process, a weakness identified by an OIG audit report related to the protection of PII was not included in the Agency POA&M.

Question 4.b – Across the four systems we reviewed, a total of 121 of 123 weaknesses (98.4%) were included on system POA&Ms.

Question 4.c – For each of the systems in our representative subset of GSA systems, the POA&M is updated quarterly with the latest vulnerabilities and remediation progress.

Question 4.d – All reviewed systems submitted POA&Ms on at least a quarterly basis.

Question 4.e – The Agency POA&M included 34 of 35 (97.1%) IG findings related to GSA's Agency-wide Program. A weakness identified by an OIG audit report related to the protection of PII was not included in the Agency-wide POA&M.

Question 4.f – Weaknesses were prioritized on all reviewed system POA&Ms.

Question 5

Question 5.a – GSA's certification and accreditation (C&A) process includes FIPS 199 system impact level determinations, security assessments, security control testing, incident handling, security awareness and training, and establishes standards for secure configurations. However, inconsistent implementation and insufficient oversight continue to prevent GSA's IT security program from being fully effective in identifying and managing risks for all systems and data. One of four systems reviewed this year did not adequately address minor applications in the C&A process.

Question 5.b – Our qualitative assessment included or considered the following aspects of the C&A process: security plan, system impact level, system test and evaluation, security control testing, incident handling, security awareness training, and configurations/patching.
Question 6

GSA has a written policy or process for PIAs that addresses determining whether a PIA is needed, conducting a PIA, completing the PIA Report, ensuring that system owners and privacy and information technology experts participate in conducting the PIA, making PIAs available to the public in the required circumstances, and making PIAs available in other than required circumstances. For each of the systems reviewed, a PIA has been completed that adheres to existing policy, guidance, and standards, if applicable. However, the Privacy Act Program has not yet ensured that PII stored on laptops and servers or in databases or applications that are not considered part of a major IT system is identified and protected.

Question 7

While a breach notification policy has been developed and implemented, the breach notification policy does not address the timeliness of the notification of individuals affected by breaches and does not address who will notify affected individuals. Further, three of four M-06-16 requirements reiterated in M-07-16 are not yet met. GSA conducted a survey of the use of PII/SSNs, which identified systems where the use of PII/SSNs was superfluous, and those systems were informed that the use of PII/SSNs should be halted.

Question 8

Question 8.a – GSA's IT Security Policy requires all agency systems to use GSA technical guidelines, NIST guidelines, or industry best practices for purposes of security configuration and hardening.

Question 8.b – Across the four systems we reviewed, we assessed implementation of common security configurations for operating systems on 72 devices and found two not appropriately secured. In the same four systems, we assessed implementation of common security configurations for six databases and found three not appropriately secured. For this sample, 73 of 78, or 94%, of applicable NIST common security configurations were applied.

Question 8.c.1 – An agency FDCC standard configuration has been established and deviations have been documented and reported to OMB.

Question 8.c.2 – FDCC settings have been established only for Windows XP and Vista. The FAR language referenced is effective March 31, 2008. GSA's common security settings-related contract was established before the March 31, 2008 FAR clause, and, therefore, GSA has not issued any contracts that require the new FAR 2007-004 language.

Question 8.c.3 – Not all GSA Windows XP computing systems have implemented FDCC security settings.

Question 9

The GSA-CIO has developed a procedural guide that outlines the policies and procedures for incident handling and reporting across the Agency. Incident handling and reporting were generally consistent with this guide for the four systems we reviewed.

Question 10

As of September 9, 2008, the Office of the CIO confirmed that all users have completed security and awareness training. GSA's CIO-administered security and awareness training program is limited to the 14,957 individuals with an active GSA email account. System owners are responsible for separately providing GSA's security training to those without GSA email accounts, and this process is not being managed by the GSA IT security program. Fourteen contractors without an active GSA email were identified that did not complete GSA's security and awareness training.
Not all contractors who should receive IT security training have been identified.

Question 11

GSA's IT security awareness training explains policies regarding the use of collaborative web technologies and peer-to-peer file sharing.

Question 12

One reviewed system, PBS Corporate, has not validated the operational assurance level of an e-authentication application, and has a planned remediation date of January 30, 2009.

APPENDIX B

SYSTEM SECURITY AUDITS CONDUCTED BY THE OFFICE OF INSPECTOR GENERAL IN 2008

System: PBS Corporate
Owner: Public Buildings Service (P)
Description: PBS Corporate, also known as the Enterprise Service Center (ESC), is a general support system categorized as moderate risk. PBS Corporate is a federal system that is operated by contractors and owned by the Public Buildings Service. The system includes 41 minor applications and hosts PBS's national applications, including eLease, IRIS, and OA Tool. PBS Corporate provides the hardware and the necessary facilities for the operation of all of its applications and provides common security controls for PBS national applications.

System: Region 7 LAN
Owner: Office of the Chief Information Officer (I)
Description: The Region 7 LAN provides network connectivity services within the Ft. Worth, Texas, Regional Office Building and for field offices throughout the five-state region, and encompasses user workstations, telecommunications equipment (including hubs and switches), and test platforms. The Region 7 LAN is a general support system categorized as moderate risk, owned by the GSA Office of the CIO.

System: Office of General Counsel (OGC) LAN
Owner: Office of General Counsel (L)
Description: The OGC LAN supports activities for the OGC and the Office of Civil Rights by providing connectivity and electronic communications for the purpose of legal research, word processing, document management, file sharing, and Internet connectivity. The OGC LAN is a general support system categorized as low risk, owned and operated by the OGC. The system includes approximately 17 application, database, web portal, and file servers.

System: Regional Business Applications (RBA)
Owner: Federal Acquisition Service (Q)
Description: RBA supports GSA's acquisition-related financial processing, worth billions of dollars to GSA. RBA is made up of two components, IT Solutions Shop (ITSS) and Integrated Task Order Management System (ITOMS), which are supported by the Common Oracle Database (CODB) as the data repository for both systems. RBA is a contractor system owned by the FAS Office of the Chief Information Officer, and is a major application categorized as a moderate risk system.

APPENDIX C

GSA CIO'S RESPONSE TO DRAFT AUDIT REPORT

APPENDIX D

REPORT DISTRIBUTION

Recipient (Copies)
Chief Information Officer (I): 3
Commissioner, Public Buildings Service (P): 1
Commissioner, Federal Acquisition Service (Q): 1
General Counsel (L): 1
Chief Acquisition Officer (V): 1
Chief Human Capital Officer (C): 1
Regional Administrator, Greater Southwest Region (7A): 1
Internal Control and Audit Division (BEI): 1
Assistant Inspector General for Auditing (JA and JAO): 2
Deputy Assistant Inspector General for Finance and Administrative Audits (JA-F): 1
Deputy Assistant Inspector General for Real Property Audits (JA-R): 1
Deputy Assistant Inspector General for Acquisition Audits (JA-A): 1
Administration and Data Systems Staff (JAS): 1
Assistant Inspector General for Investigations (JI): 1